From 67635a7f8df47fa7eb9d7a437ee93f3037e67869 Mon Sep 17 00:00:00 2001 From: Saleem Abdulrasool Date: Mon, 14 Apr 2014 02:37:23 +0000 Subject: [PATCH] tools: address possible non-null terminated filenames If a filename is a multiple of 18 characters, there will be no null-terminator. This will result in an invalid access by the constructed StringRef. Add a test case to exercise this and fix that handling. Address this same vulnerability in llvm-readobj as well. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@206145 91177308-0d34-0410-b5e6-96231b3b80d8 --- .../llvm-objdump/Inputs/file-aux-record.yaml | 21 ++++++++++++++++++ .../coff-non-null-terminated-file.test | 5 +++++ .../llvm-readobj/Inputs/file-aux-record.yaml | 21 ++++++++++++++++++ .../coff-non-null-terminated-file.test | 20 +++++++++++++++++ tools/llvm-objdump/llvm-objdump.cpp | 22 ++++++------------- tools/llvm-readobj/COFFDumper.cpp | 5 ++++- 6 files changed, 78 insertions(+), 16 deletions(-) create mode 100644 test/tools/llvm-objdump/Inputs/file-aux-record.yaml create mode 100644 test/tools/llvm-objdump/coff-non-null-terminated-file.test create mode 100644 test/tools/llvm-readobj/Inputs/file-aux-record.yaml create mode 100644 test/tools/llvm-readobj/coff-non-null-terminated-file.test diff --git a/test/tools/llvm-objdump/Inputs/file-aux-record.yaml b/test/tools/llvm-objdump/Inputs/file-aux-record.yaml new file mode 100644 index 00000000000..d19afaf68a8 --- /dev/null +++ b/test/tools/llvm-objdump/Inputs/file-aux-record.yaml @@ -0,0 +1,21 @@ +header: !Header + Machine: IMAGE_FILE_MACHINE_I386 # (0x14c) + Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ] +sections: +symbols: + - !Symbol + Name: .file + Value: 0 + SectionNumber: 65534 + SimpleType: IMAGE_SYM_TYPE_NULL + ComplexType: IMAGE_SYM_DTYPE_NULL + StorageClass: IMAGE_SYM_CLASS_FILE + File: eighteen-chars.obj + - !Symbol + Name: '@comp.id' + Value: 13485607 + SectionNumber: 65535 + SimpleType: IMAGE_SYM_TYPE_NULL + ComplexType: IMAGE_SYM_DTYPE_NULL + StorageClass: IMAGE_SYM_CLASS_STATIC + diff --git a/test/tools/llvm-objdump/coff-non-null-terminated-file.test b/test/tools/llvm-objdump/coff-non-null-terminated-file.test new file mode 100644 index 00000000000..125994ff086 --- /dev/null +++ b/test/tools/llvm-objdump/coff-non-null-terminated-file.test @@ -0,0 +1,5 @@ +RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-objdump -t - | FileCheck %s + +CHECK: .file +CHECK: AUX eighteen-chars.obj{{$}} + diff --git a/test/tools/llvm-readobj/Inputs/file-aux-record.yaml b/test/tools/llvm-readobj/Inputs/file-aux-record.yaml new file mode 100644 index 00000000000..d19afaf68a8 --- /dev/null +++ b/test/tools/llvm-readobj/Inputs/file-aux-record.yaml @@ -0,0 +1,21 @@ +header: !Header + Machine: IMAGE_FILE_MACHINE_I386 # (0x14c) + Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ] +sections: +symbols: + - !Symbol + Name: .file + Value: 0 + SectionNumber: 65534 + SimpleType: IMAGE_SYM_TYPE_NULL + ComplexType: IMAGE_SYM_DTYPE_NULL + StorageClass: IMAGE_SYM_CLASS_FILE + File: eighteen-chars.obj + - !Symbol + Name: '@comp.id' + Value: 13485607 + SectionNumber: 65535 + SimpleType: IMAGE_SYM_TYPE_NULL + ComplexType: IMAGE_SYM_DTYPE_NULL + StorageClass: IMAGE_SYM_CLASS_STATIC + diff --git a/test/tools/llvm-readobj/coff-non-null-terminated-file.test b/test/tools/llvm-readobj/coff-non-null-terminated-file.test new file mode 100644 index 00000000000..8bd88f3708e --- /dev/null +++ b/test/tools/llvm-readobj/coff-non-null-terminated-file.test @@ -0,0 +1,20 @@ +RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-readobj -t - | FileCheck %s + +CHECK: Symbols [ +CHECK: Symbol { +CHECK: Name: .file +CHECK: Value: 0 +CHECK: StorageClass: File +CHECK: AuxSymbolCount: 1 +CHECK: AuxFileRecord { +CHECK: FileName: eighteen-chars.obj{{$}} +CHECK: } +CHECK: } +CHECK: Symbol { +CHECK: Name: @comp.id +CHECK: Value: 13485607 +CHECK: StorageClass: Static +CHECK: AuxSymbolCount: 0 +CHECK: } +CHECK: ] + diff --git a/tools/llvm-objdump/llvm-objdump.cpp b/tools/llvm-objdump/llvm-objdump.cpp index 313816e56e9..8d5035efcdf 100644 --- a/tools/llvm-objdump/llvm-objdump.cpp +++ b/tools/llvm-objdump/llvm-objdump.cpp @@ -669,17 +669,7 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) { const coff_symbol *symbol = 0; for (int i = 0, e = header->NumberOfSymbols; i != e; ++i) { if (aux_count--) { - switch (symbol->StorageClass) { - default: outs() << "AUX Unknown\n"; - case COFF::IMAGE_SYM_CLASS_STATIC: - // Section definition. Follows a symbol-table record that defines a - // section. Such a record has a symbol name that is the name of a - // section and has storage class STATIC (3). - if (symbol->Value) { - errs() << "invalid entry in Symbol Table"; - break; - } - + if (symbol->isSectionDefinition()) { const coff_aux_section_definition *asd; if (error(coff->getAuxSymbol(i, asd))) return; @@ -693,15 +683,17 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) { << format("assoc %d comdat %d\n" , unsigned(asd->Number) , unsigned(asd->Selection)); - break; - case COFF::IMAGE_SYM_CLASS_FILE: + } else if (symbol->isFileRecord()) { const coff_aux_file *AF; if (error(coff->getAuxSymbol(i, AF))) return; - outs() << "AUX " << StringRef(AF->FileName) << '\n'; + + StringRef Name(AF->FileName, (aux_count + 1) * COFF::SymbolSize); + outs() << "AUX " << Name.rtrim(StringRef("\0", 1)) << '\n'; i = i + aux_count; aux_count = 0; - break; + } else { + outs() << "AUX Unknown\n"; } } else { StringRef name; diff --git a/tools/llvm-readobj/COFFDumper.cpp b/tools/llvm-readobj/COFFDumper.cpp index 69be82ec3e7..8d08d021a38 100644 --- a/tools/llvm-readobj/COFFDumper.cpp +++ b/tools/llvm-readobj/COFFDumper.cpp @@ -977,7 +977,10 @@ void COFFDumper::printSymbol(const SymbolRef &Sym) { break; DictScope AS(W, "AuxFileRecord"); - W.printString("FileName", StringRef(Aux->FileName)); + + StringRef Name(Aux->FileName, + Symbol->NumberOfAuxSymbols * COFF::SymbolSize); + W.printString("FileName", Name.rtrim(StringRef("\0", 1))); } else if (Symbol->isSectionDefinition()) { const coff_aux_section_definition *Aux; if (error(getSymbolAuxData(Obj, Symbol + I, Aux)))